Excerpts from Hans de Goede's message of Mon Jul 20 17:46:41 +0200 2015: > Hi, > > On 20-07-15 11:51, Christophe Fergeau wrote: > > Hey, > > > > Looks good te me now. > > Hans, would you mind taking a quick look at that > > patch in case you have objections on the change (if > > spice_usb_acl_helper_open_acl_finish() fails, try to directly open the > > device node anyway as it may be user-accessible). > > I do not think that this is the right thing todo, this means e.g. > that if policykit / the admin explicitly denies redirection, but > the usb device node happens to be opened up (which happens with > e.g. scanners), then we will still redirect, this seems wrong to me. > > Instead Michal should fixup his policykit so that the helper works > for him. Hello, this policykit thing is spice-specific afaik. The standard way to set up permissions which works with anything that accesses USB devices is udev rules. I set up udev rules to access these devices and I cannot redirect them. In fact if Debian maintainers did not compile in support for policykit I could redirect the devices which I can access. So effectively compiling in support for policykit denies redirection of perfectly accessible devices which is in my view wrong. If your scanner devices happen to be accessible to you (probably because you are member of the scanner group) then you can access those devices with any random software and should be able to redirect them with spice. It's system administrator's job to add and remove users from the scanner group or perform other action to make the scanner devices accessible or inaccessible to particular users. It is not spice's job to 'correct' or 'homogenize' permissions between policykit and device nodes. If the device is accessible it should be redirected. If it's inaccessible it cannot be redirected. Policykit helper is just another means to access the device. Thanks Michal _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel